[pacman-dev] [PATCH 2/2] doc, makepkg.conf: Deprecate md5sums, show examples using sha256sums.
Mike Swanson
mikeonthecomputer at gmail.com
Thu Feb 23 21:31:17 UTC 2017
---
doc/PKGBUILD-example.txt | 4 ++--
doc/PKGBUILD.5.txt | 31 +++++++++++++++++++------------
doc/makepkg-template.1.txt | 2 +-
etc/makepkg.conf.in | 2 +-
4 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/doc/PKGBUILD-example.txt b/doc/PKGBUILD-example.txt
index 910fd068..d4e1c9c1 100644
--- a/doc/PKGBUILD-example.txt
+++ b/doc/PKGBUILD-example.txt
@@ -12,8 +12,8 @@ depends=('glibc')
makedepends=('ed')
optdepends=('ed: for "patch -e" functionality')
source=("ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"{,.sig})
-md5sums=('e9ae5393426d3ad783a300a338c09b72'
- 'SKIP')
+sha256sums=('9124ba46db0abd873d0995c2ca880e81252676bb6c03e0a37dfc5f608a9b0ceb'
+ 'SKIP')
build() {
cd "$srcdir/$pkgname-$pkgver"
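Review bot: The new digest on the `sha256sums=(` line is an opaque literal that cannot be checked from the diff, and the tarball in `source=` is fetched over `ftp://`. Please confirm it was computed from a copy of the tarball that was verified against the accompanying `.sig`, not from whatever the download returned, and say so in the commit message so reviewers can reproduce it. The `'SKIP'` entry for the `.sig` file is correctly carried over unchanged.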
diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt
index 18bc2a19..edf469fe 100644
--- a/doc/PKGBUILD.5.txt
+++ b/doc/PKGBUILD.5.txt
@@ -118,7 +118,7 @@ systems (see below).
+
Additional architecture-specific sources can be added by appending an
underscore and the architecture name e.g., 'source_x86_64=()'. There must be a
-corresponding integrity array with checksums, e.g. 'md5sums_x86_64=()'.
+corresponding integrity array with checksums, e.g. 'sha256sums_x86_64=()'.
+
It is also possible to change the name of the downloaded file, which is helpful
with weird URLs and for handling multiple source files with the same
@@ -146,19 +146,26 @@ contain whitespace characters.
listed here will not be extracted with the rest of the source files. This
is useful for packages that use compressed data directly.
-*md5sums (array)*::
- This array contains an MD5 hash for every source file specified in the
- source array (in the same order). makepkg will use this to verify source
- file integrity during subsequent builds. If 'SKIP' is put in the array
- in place of a normal hash, the integrity check for that source file will
- be skipped. To easily generate md5sums, run ``makepkg -g >> PKGBUILD''.
- If desired, move the md5sums line to an appropriate location.
+*sha256sums (array)*::
+ This array contains a SHA256 hash for every source file specified in the
+ source array (in the same order). makepkg will use this to verify
+ source file integrity during subsequent builds. If 'SKIP' is put in the
+ array in place of a normal hash, the integrity check for that source
+ file will be skipped. To easily generate sha256sums, run ``makepkg -g
+ >> PKGBUILD''. If desired, move the sha256sums to an appropriate
+ location.
-*sha1sums, sha256sums, sha384sums, sha512sums (arrays)*::
+*sha384sums, sha512sums (arrays)*::
Alternative integrity checks that makepkg supports; these all behave
- similar to the md5sums option described above. To enable use and generation
- of these checksums, be sure to set up the `INTEGRITY_CHECK` option in
- linkman:makepkg.conf[5].
+ similar to the sha256sums option described above. To enable use and
+ generation of these checksums, be sure to set up the `INTEGRITY_CHECK`
+ option in linkman:makepkg.conf[5].
+
+*md5sums, sha1sums (arrays)*::
+ Alternative legacy integrity checks that makepkg supports. These are
+ supported for compatibility, but should not be used in current PKGBUILD
+ files due to known collision attacks on the algorithms, allowing
+ malicious files to pose as legitimate ones.
*groups (array)*::
An array of symbolic names that represent groups of packages, allowing
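Review bot: In the new `*md5sums, sha1sums (arrays)*` entry, "known collision attacks on the algorithms, allowing malicious files to pose as legitimate ones" overstates what a collision attack gives. A collision lets someone who constructs both files produce a pair with the same digest. It does not let an attacker match the digest of an arbitrary file that already exists, which would need a second-preimage attack. Suggest wording along the lines of "because collision attacks are known, a party able to influence the original source file could prepare a second file with the same checksum". Two smaller points: the entry says these "should not be used" but does not tell maintainers what to do with existing md5sums arrays, and the rewritten sha256sums text dropped the word "line" in "move the sha256sums to an appropriate location".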
diff --git a/doc/makepkg-template.1.txt b/doc/makepkg-template.1.txt
index 99637d43..53cb4997 100644
--- a/doc/makepkg-template.1.txt
+++ b/doc/makepkg-template.1.txt
@@ -88,7 +88,7 @@ Example PKGBUILD
license=('PerlArtistic' 'GPL')
depends=('perl')
source=("http://search.cpan.org/CPAN/authors/id/S/SH/SHERZODR/Config-Simple-${pkgver}.tar.gz")
- md5sums=('f014aec54f0a1e2e880d317180fce502')
+ sha256sums=('dd9995706f0f9384a15ccffe116c3b6e22f42ba2e58d8f24ed03c4a0e386edb4')
_distname="Config-Simple"
# template start; name=perl-module; version=1.0;
diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in
index 71293970..24b83d18 100644
--- a/etc/makepkg.conf.in
+++ b/etc/makepkg.conf.in
@@ -86,7 +86,7 @@ BUILDENV=(!distcc color !ccache check !sign)
OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !debug)
#-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
-INTEGRITY_CHECK=(md5)
+INTEGRITY_CHECK=(sha256)
#-- Options to be used when stripping binaries. See `man strip' for details.
STRIP_BINARIES="@STRIP_BINARIES@"
#-- Options to be used when stripping shared libraries. See `man strip' for details.
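Review bot: Changing the default to `INTEGRITY_CHECK=(sha256)` needs a statement of what happens to existing PKGBUILDs that only carry `md5sums`. The comment above the setting reads "File integrity checks to use", and PKGBUILD.5 in this same patch says the option enables "use and generation" of checksums, so a reader cannot tell whether the setting only controls what `makepkg -g` emits or also which arrays are verified. Please clarify that in the comment or the commit message, and consider marking md5 and sha1 as legacy in the "Valid:" list so the config file matches the documentation change.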
--
2.11.1